vaspera 2.14.0 → 2.16.0
- package/CHANGELOG.md +62 -0
- package/README.md +15 -2
- package/dist/__tests__/certification/agent-certificate-e2e.test.d.ts +2 -0
- package/dist/__tests__/certification/agent-certificate-e2e.test.d.ts.map +1 -0
- package/dist/__tests__/certification/agent-certificate-e2e.test.js +90 -0
- package/dist/__tests__/certification/agent-certificate-e2e.test.js.map +1 -0
- package/dist/__tests__/certification/agent-certificate-map.test.d.ts +2 -0
- package/dist/__tests__/certification/agent-certificate-map.test.d.ts.map +1 -0
- package/dist/__tests__/certification/agent-certificate-map.test.js +107 -0
- package/dist/__tests__/certification/agent-certificate-map.test.js.map +1 -0
- package/dist/__tests__/certification/agent-certificate.test.d.ts +2 -0
- package/dist/__tests__/certification/agent-certificate.test.d.ts.map +1 -0
- package/dist/__tests__/certification/agent-certificate.test.js +78 -0
- package/dist/__tests__/certification/agent-certificate.test.js.map +1 -0
- package/dist/__tests__/certification/verify-endpoint.test.d.ts +2 -0
- package/dist/__tests__/certification/verify-endpoint.test.d.ts.map +1 -0
- package/dist/__tests__/certification/verify-endpoint.test.js +81 -0
- package/dist/__tests__/certification/verify-endpoint.test.js.map +1 -0
- package/dist/__tests__/compliance/ai-frameworks.test.d.ts +2 -0
- package/dist/__tests__/compliance/ai-frameworks.test.d.ts.map +1 -0
- package/dist/__tests__/compliance/ai-frameworks.test.js +87 -0
- package/dist/__tests__/compliance/ai-frameworks.test.js.map +1 -0
- package/dist/__tests__/eval/llm-analyzer.test.d.ts +2 -0
- package/dist/__tests__/eval/llm-analyzer.test.d.ts.map +1 -0
- package/dist/__tests__/eval/llm-analyzer.test.js +93 -0
- package/dist/__tests__/eval/llm-analyzer.test.js.map +1 -0
- package/dist/__tests__/eval/redteam-harness.test.d.ts +2 -0
- package/dist/__tests__/eval/redteam-harness.test.d.ts.map +1 -0
- package/dist/__tests__/eval/redteam-harness.test.js +136 -0
- package/dist/__tests__/eval/redteam-harness.test.js.map +1 -0
- package/dist/__tests__/evidence/evidence.test.d.ts +2 -0
- package/dist/__tests__/evidence/evidence.test.d.ts.map +1 -0
- package/dist/__tests__/evidence/evidence.test.js +240 -0
- package/dist/__tests__/evidence/evidence.test.js.map +1 -0
- package/dist/__tests__/history/decisions.test.d.ts +2 -0
- package/dist/__tests__/history/decisions.test.d.ts.map +1 -0
- package/dist/__tests__/history/decisions.test.js +54 -0
- package/dist/__tests__/history/decisions.test.js.map +1 -0
- package/dist/__tests__/http-auth.test.d.ts +2 -0
- package/dist/__tests__/http-auth.test.d.ts.map +1 -0
- package/dist/__tests__/http-auth.test.js +55 -0
- package/dist/__tests__/http-auth.test.js.map +1 -0
- package/dist/__tests__/http-policy.test.d.ts +2 -0
- package/dist/__tests__/http-policy.test.d.ts.map +1 -0
- package/dist/__tests__/http-policy.test.js +69 -0
- package/dist/__tests__/http-policy.test.js.map +1 -0
- package/dist/__tests__/http-server-transport.test.d.ts +2 -0
- package/dist/__tests__/http-server-transport.test.d.ts.map +1 -0
- package/dist/__tests__/http-server-transport.test.js +132 -0
- package/dist/__tests__/http-server-transport.test.js.map +1 -0
- package/dist/__tests__/integration/destructive-guards.test.d.ts +2 -0
- package/dist/__tests__/integration/destructive-guards.test.d.ts.map +1 -0
- package/dist/__tests__/integration/destructive-guards.test.js +49 -0
- package/dist/__tests__/integration/destructive-guards.test.js.map +1 -0
- package/dist/__tests__/logger-redaction.test.d.ts +2 -0
- package/dist/__tests__/logger-redaction.test.d.ts.map +1 -0
- package/dist/__tests__/logger-redaction.test.js +74 -0
- package/dist/__tests__/logger-redaction.test.js.map +1 -0
- package/dist/__tests__/manifest-schema.test.d.ts +2 -0
- package/dist/__tests__/manifest-schema.test.d.ts.map +1 -0
- package/dist/__tests__/manifest-schema.test.js +43 -0
- package/dist/__tests__/manifest-schema.test.js.map +1 -0
- package/dist/__tests__/scanners/builtin-rules.test.d.ts +2 -0
- package/dist/__tests__/scanners/builtin-rules.test.d.ts.map +1 -0
- package/dist/__tests__/scanners/builtin-rules.test.js +51 -0
- package/dist/__tests__/scanners/builtin-rules.test.js.map +1 -0
- package/dist/__tests__/scanners/runtime/golden-path-runner.test.js +13 -1
- package/dist/__tests__/scanners/runtime/golden-path-runner.test.js.map +1 -1
- package/dist/__tests__/tool-guard.test.d.ts +2 -0
- package/dist/__tests__/tool-guard.test.d.ts.map +1 -0
- package/dist/__tests__/tool-guard.test.js +97 -0
- package/dist/__tests__/tool-guard.test.js.map +1 -0
- package/dist/__tests__/util/contained-file.test.d.ts +2 -0
- package/dist/__tests__/util/contained-file.test.d.ts.map +1 -0
- package/dist/__tests__/util/contained-file.test.js +78 -0
- package/dist/__tests__/util/contained-file.test.js.map +1 -0
- package/dist/__tests__/util/subprocess.test.d.ts +2 -0
- package/dist/__tests__/util/subprocess.test.d.ts.map +1 -0
- package/dist/__tests__/util/subprocess.test.js +48 -0
- package/dist/__tests__/util/subprocess.test.js.map +1 -0
- package/dist/action/diff-mode.d.ts.map +1 -1
- package/dist/action/diff-mode.js +31 -12
- package/dist/action/diff-mode.js.map +1 -1
- package/dist/certification/agent-certificate-map.d.ts +51 -0
- package/dist/certification/agent-certificate-map.d.ts.map +1 -0
- package/dist/certification/agent-certificate-map.js +265 -0
- package/dist/certification/agent-certificate-map.js.map +1 -0
- package/dist/certification/agent-certificate-sample.d.ts +25 -0
- package/dist/certification/agent-certificate-sample.d.ts.map +1 -0
- package/dist/certification/agent-certificate-sample.js +207 -0
- package/dist/certification/agent-certificate-sample.js.map +1 -0
- package/dist/certification/agent-certificate.d.ts +1981 -0
- package/dist/certification/agent-certificate.d.ts.map +1 -0
- package/dist/certification/agent-certificate.js +309 -0
- package/dist/certification/agent-certificate.js.map +1 -0
- package/dist/certification/autofix.d.ts.map +1 -1
- package/dist/certification/autofix.js +5 -3
- package/dist/certification/autofix.js.map +1 -1
- package/dist/certification/store.d.ts.map +1 -1
- package/dist/certification/store.js +5 -2
- package/dist/certification/store.js.map +1 -1
- package/dist/certification/verify-endpoint.d.ts +48 -0
- package/dist/certification/verify-endpoint.d.ts.map +1 -0
- package/dist/certification/verify-endpoint.js +79 -0
- package/dist/certification/verify-endpoint.js.map +1 -0
- package/dist/compliance/index.d.ts +2 -0
- package/dist/compliance/index.d.ts.map +1 -1
- package/dist/compliance/index.js +4 -0
- package/dist/compliance/index.js.map +1 -1
- package/dist/compliance/iso42001.d.ts +21 -0
- package/dist/compliance/iso42001.d.ts.map +1 -0
- package/dist/compliance/iso42001.js +160 -0
- package/dist/compliance/iso42001.js.map +1 -0
- package/dist/compliance/mapper.d.ts.map +1 -1
- package/dist/compliance/mapper.js +12 -0
- package/dist/compliance/mapper.js.map +1 -1
- package/dist/compliance/nist-ai-rmf.d.ts +20 -0
- package/dist/compliance/nist-ai-rmf.d.ts.map +1 -0
- package/dist/compliance/nist-ai-rmf.js +140 -0
- package/dist/compliance/nist-ai-rmf.js.map +1 -0
- package/dist/config/flags.d.ts +4 -4
- package/dist/eval/fixtures.d.ts.map +1 -1
- package/dist/eval/fixtures.js +161 -119
- package/dist/eval/fixtures.js.map +1 -1
- package/dist/eval/fixtures.test.js +4 -2
- package/dist/eval/fixtures.test.js.map +1 -1
- package/dist/eval/llm-analyzer.d.ts +40 -0
- package/dist/eval/llm-analyzer.d.ts.map +1 -0
- package/dist/eval/llm-analyzer.js +154 -0
- package/dist/eval/llm-analyzer.js.map +1 -0
- package/dist/eval/redteam-harness.d.ts +95 -0
- package/dist/eval/redteam-harness.d.ts.map +1 -0
- package/dist/eval/redteam-harness.js +137 -0
- package/dist/eval/redteam-harness.js.map +1 -0
- package/dist/evidence/collector.d.ts.map +1 -1
- package/dist/evidence/collector.js +21 -1
- package/dist/evidence/collector.js.map +1 -1
- package/dist/evidence/store.d.ts.map +1 -1
- package/dist/evidence/store.js +29 -5
- package/dist/evidence/store.js.map +1 -1
- package/dist/evidence/types.d.ts +16 -9
- package/dist/evidence/types.d.ts.map +1 -1
- package/dist/history/decisions.d.ts +63 -0
- package/dist/history/decisions.d.ts.map +1 -0
- package/dist/history/decisions.js +60 -0
- package/dist/history/decisions.js.map +1 -0
- package/dist/history/index.d.ts +2 -0
- package/dist/history/index.d.ts.map +1 -1
- package/dist/history/index.js +2 -0
- package/dist/history/index.js.map +1 -1
- package/dist/history/types.d.ts +34 -5
- package/dist/history/types.d.ts.map +1 -1
- package/dist/history/types.js +2 -0
- package/dist/history/types.js.map +1 -1
- package/dist/http-auth.d.ts +22 -0
- package/dist/http-auth.d.ts.map +1 -0
- package/dist/http-auth.js +58 -0
- package/dist/http-auth.js.map +1 -0
- package/dist/http-policy.d.ts +30 -0
- package/dist/http-policy.d.ts.map +1 -0
- package/dist/http-policy.js +54 -0
- package/dist/http-policy.js.map +1 -0
- package/dist/http-server.js +195 -12
- package/dist/http-server.js.map +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +257 -16
- package/dist/index.js.map +1 -1
- package/dist/logger.d.ts.map +1 -1
- package/dist/logger.js +56 -2
- package/dist/logger.js.map +1 -1
- package/dist/plugins/types.d.ts +2 -2
- package/dist/scanners/agent/prompt-injection-fuzzer.d.ts.map +1 -1
- package/dist/scanners/agent/prompt-injection-fuzzer.js +26 -0
- package/dist/scanners/agent/prompt-injection-fuzzer.js.map +1 -1
- package/dist/scanners/agent/types.d.ts +10 -10
- package/dist/scanners/bandit.d.ts.map +1 -1
- package/dist/scanners/bandit.js +35 -29
- package/dist/scanners/bandit.js.map +1 -1
- package/dist/scanners/binary-analysis.d.ts.map +1 -1
- package/dist/scanners/binary-analysis.js +24 -49
- package/dist/scanners/binary-analysis.js.map +1 -1
- package/dist/scanners/brakeman.d.ts.map +1 -1
- package/dist/scanners/brakeman.js +19 -33
- package/dist/scanners/brakeman.js.map +1 -1
- package/dist/scanners/builtin-rules.d.ts +24 -0
- package/dist/scanners/builtin-rules.d.ts.map +1 -0
- package/dist/scanners/builtin-rules.js +175 -0
- package/dist/scanners/builtin-rules.js.map +1 -0
- package/dist/scanners/dast.d.ts.map +1 -1
- package/dist/scanners/dast.js +24 -34
- package/dist/scanners/dast.js.map +1 -1
- package/dist/scanners/deploy/types.d.ts +6 -6
- package/dist/scanners/eslint.d.ts.map +1 -1
- package/dist/scanners/eslint.js +15 -24
- package/dist/scanners/eslint.js.map +1 -1
- package/dist/scanners/gosec.d.ts.map +1 -1
- package/dist/scanners/gosec.js +14 -62
- package/dist/scanners/gosec.js.map +1 -1
- package/dist/scanners/index.d.ts.map +1 -1
- package/dist/scanners/index.js +38 -7
- package/dist/scanners/index.js.map +1 -1
- package/dist/scanners/memory-safety.d.ts.map +1 -1
- package/dist/scanners/memory-safety.js +27 -28
- package/dist/scanners/memory-safety.js.map +1 -1
- package/dist/scanners/openapi.d.ts.map +1 -1
- package/dist/scanners/openapi.js +14 -22
- package/dist/scanners/openapi.js.map +1 -1
- package/dist/scanners/race-condition.d.ts.map +1 -1
- package/dist/scanners/race-condition.js +17 -16
- package/dist/scanners/race-condition.js.map +1 -1
- package/dist/scanners/runtime/types.d.ts +4 -4
- package/dist/scanners/rust.d.ts.map +1 -1
- package/dist/scanners/rust.js +38 -37
- package/dist/scanners/rust.js.map +1 -1
- package/dist/scanners/scale/types.d.ts +16 -16
- package/dist/scanners/secrets.d.ts.map +1 -1
- package/dist/scanners/secrets.js +66 -78
- package/dist/scanners/secrets.js.map +1 -1
- package/dist/scanners/semgrep.d.ts +2 -0
- package/dist/scanners/semgrep.d.ts.map +1 -1
- package/dist/scanners/semgrep.js +12 -0
- package/dist/scanners/semgrep.js.map +1 -1
- package/dist/scanners/terraform.d.ts.map +1 -1
- package/dist/scanners/terraform.js +47 -40
- package/dist/scanners/terraform.js.map +1 -1
- package/dist/scanners/trivy.d.ts.map +1 -1
- package/dist/scanners/trivy.js +38 -30
- package/dist/scanners/trivy.js.map +1 -1
- package/dist/telemetry/install-id.d.ts +25 -0
- package/dist/telemetry/install-id.d.ts.map +1 -0
- package/dist/telemetry/install-id.js +49 -0
- package/dist/telemetry/install-id.js.map +1 -0
- package/dist/telemetry/usage.d.ts +19 -2
- package/dist/telemetry/usage.d.ts.map +1 -1
- package/dist/telemetry/usage.js +44 -8
- package/dist/telemetry/usage.js.map +1 -1
- package/dist/tool-guard.d.ts +40 -0
- package/dist/tool-guard.d.ts.map +1 -0
- package/dist/tool-guard.js +55 -0
- package/dist/tool-guard.js.map +1 -0
- package/dist/util/index.d.ts +2 -1
- package/dist/util/index.d.ts.map +1 -1
- package/dist/util/index.js +2 -1
- package/dist/util/index.js.map +1 -1
- package/dist/util/paths.d.ts +20 -3
- package/dist/util/paths.d.ts.map +1 -1
- package/dist/util/paths.js +84 -4
- package/dist/util/paths.js.map +1 -1
- package/dist/util/subprocess.d.ts +51 -0
- package/dist/util/subprocess.d.ts.map +1 -0
- package/dist/util/subprocess.js +77 -0
- package/dist/util/subprocess.js.map +1 -0
- package/package.json +12 -2
- package/dist/eval/fixtures/healthcare/audit-gaps.d.ts +0 -28
- package/dist/eval/fixtures/healthcare/audit-gaps.d.ts.map +0 -1
- package/dist/eval/fixtures/healthcare/audit-gaps.js +0 -90
- package/dist/eval/fixtures/healthcare/audit-gaps.js.map +0 -1
- package/dist/eval/fixtures/healthcare/consent-bypass.d.ts +0 -31
- package/dist/eval/fixtures/healthcare/consent-bypass.d.ts.map +0 -1
- package/dist/eval/fixtures/healthcare/consent-bypass.js +0 -61
- package/dist/eval/fixtures/healthcare/consent-bypass.js.map +0 -1
- package/dist/eval/fixtures/healthcare/phi-in-logs.d.ts +0 -24
- package/dist/eval/fixtures/healthcare/phi-in-logs.d.ts.map +0 -1
- package/dist/eval/fixtures/healthcare/phi-in-logs.js +0 -41
- package/dist/eval/fixtures/healthcare/phi-in-logs.js.map +0 -1
|
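--- a/package/dist/certification/agent-certificate-map.d.ts
+++ b/package/dist/certification/agent-certificate-map.d.ts
@@ -0,0 +1,51 @@
+/**
+* Map a completed Certification into an Agent Certificate body.
+*
+* Turns a real certification run (findings, scores, level, project hash)
+* into the six-dimension certificate — no fabricated data. Dimensions not
+* covered by the current engine (compliance frameworks, runtime decision
+* provenance) are reported as `not_assessed` rather than invented, so the
+* certificate never overstates what was actually checked.
+*
+* @module certification/agent-certificate-map
+*/
+import type { AgentCertificateBody } from "./agent-certificate.js";
+import type { Certification, Finding } from "./types.js";
+import type { ComplianceFramework } from "../compliance/types.js";
+type ComplianceDimension = AgentCertificateBody["dimensions"]["compliance"];
+/**
+* Evaluate the requested compliance frameworks against the findings,
+* producing the certificate's compliance dimension. Reuses the existing
+* compliance mapper (so ISO 42001 / NIST AI RMF are real control
+* mappings, not labels).
+*/
+export declare function buildComplianceDimension(findings: Finding[], frameworks: ComplianceFramework[]): ComplianceDimension;
+export interface MapOptions {
+toolVersion: string;
+issuedAt: string;
+expiresAt: string;
+certificateId: string;
+/** Frameworks to evaluate for the compliance dimension (e.g. ISO-42001). */
+complianceFrameworks?: ComplianceFramework[];
+/** Decision-provenance anchor (audit-trail head + record count). */
+provenance?: {
+auditTrailHead?: string;
+decisionRecords?: number;
+};
+}
+export interface BaselineOptions extends MapOptions {
+subjectName: string;
+subjectKind: "agent" | "mcp-server" | "codebase";
+identifier: string;
+}
+/**
+* A baseline certificate body for a subject with no certification run yet
+* — every dimension is `not_assessed` (honest, never fabricated).
+*/
+export declare function baselineCertificateBody(options: BaselineOptions): AgentCertificateBody;
+/**
+* Build a certificate body from a completed certification.
+*/
+export declare function certificationToCertificateBody(cert: Certification, options: MapOptions): AgentCertificateBody;
+export {};
+//# sourceMappingURL=agent-certificate-map.d.ts.map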
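Review bot: The comment on `MapOptions.provenance` does not say that `auditTrailHead` and `decisionRecords` are taken from the caller as-is, yet the mapper in agent-certificate-map.js turns any `decisionRecords > 0` into a passing check titled "recorded on the tamper-evident hash chain" with no chain in view. I would document the trust boundary on the field: `/** Decision-provenance anchor (audit-trail head + record count). Caller-asserted: the mapper does not verify the chain, so supply values derived from a verified audit trail. */`. The mapper's fallback also copies `project_hash` into `auditTrailHead` when `provenance` is omitted, which deserves a sentence in the same comment because a content hash is not an audit-trail head.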
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"agent-certificate-map.d.ts","sourceRoot":"","sources":["../../src/certification/agent-certificate-map.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,oBAAoB,EAAmB,MAAM,wBAAwB,CAAC;AACpF,OAAO,KAAK,EACV,aAAa,EACb,OAAO,EAIR,MAAM,YAAY,CAAC;AAEpB,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAElE,KAAK,mBAAmB,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC,YAAY,CAAC,CAAC;AAyG5E;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,QAAQ,EAAE,OAAO,EAAE,EACnB,UAAU,EAAE,mBAAmB,EAAE,GAChC,mBAAmB,CAgDrB;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,4EAA4E;IAC5E,oBAAoB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC7C,oEAAoE;IACpE,UAAU,CAAC,EAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CACpE;AAED,MAAM,WAAW,eAAgB,SAAQ,UAAU;IACjD,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,OAAO,GAAG,YAAY,GAAG,UAAU,CAAC;IACjD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,eAAe,GAAG,oBAAoB,CAoCtF;AAED;;GAEG;AACH,wBAAgB,8BAA8B,CAC5C,IAAI,EAAE,aAAa,EACnB,OAAO,EAAE,UAAU,GAClB,oBAAoB,CAkFtB"}
|
|
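--- a/package/dist/certification/agent-certificate-map.js
+++ b/package/dist/certification/agent-certificate-map.js
@@ -0,0 +1,265 @@
+/**
+* Map a completed Certification into an Agent Certificate body.
+*
+* Turns a real certification run (findings, scores, level, project hash)
+* into the six-dimension certificate — no fabricated data. Dimensions not
+* covered by the current engine (compliance frameworks, runtime decision
+* provenance) are reported as `not_assessed` rather than invented, so the
+* certificate never overstates what was actually checked.
+*
+* @module certification/agent-certificate-map
+*/
+import { AGENT_CERTIFICATE_SCHEMA } from "./agent-certificate.js";
+import { mapFindingsToControls } from "../compliance/mapper.js";
+const SEVERITY_RANK = {
+critical: 4,
+high: 3,
+medium: 2,
+low: 1,
+info: 0,
+};
+function checkStatusForSeverity(severity) {
+if (severity === "critical" || severity === "high")
+return "fail";
+if (severity === "medium")
+return "warn";
+return "pass";
+}
+function gatherFindings(cert, agents) {
+const out = [];
+for (const agent of agents) {
+const data = cert.agents[agent];
+if (data?.findings)
+out.push(...data.findings);
+}
+return out;
+}
+function dimensionFromFindings(findings, score, label) {
+const critical = findings.filter((f) => f.severity === "critical").length;
+const high = findings.filter((f) => f.severity === "high").length;
+const status = critical > 0 || high > 0 ? "fail" : findings.length > 0 ? "warn" : "pass";
+// Surface the most severe findings first, capped so a certificate stays
+// a summary, not a full report.
+const checks = [...findings]
+.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity])
+.slice(0, 10)
+.map((f) => ({
+id: f.id,
+title: f.description.slice(0, 140),
+status: checkStatusForSeverity(f.severity),
+severity: f.severity,
+category: String(f.category),
+...(f.file ? { detail: `${f.file}${f.line ? `:${f.line}` : ""}` } : {}),
+}));
+return {
+status,
+score: Math.max(0, Math.min(100, score)),
+summary: `${label}: ${findings.length} finding(s) (${critical} critical, ${high} high).`,
+checks,
+};
+}
+function notAssessed(reason) {
+return { status: "not_assessed", score: 0, summary: reason, checks: [] };
+}
+function buildExplainabilityDimension(projectHash, decisionRecords) {
+const checks = [];
+if (projectHash) {
+checks.push({
+id: "project-hash",
+title: "Certification bound to a project content hash",
+status: "pass",
+});
+}
+if (decisionRecords > 0) {
+checks.push({
+id: "decision-provenance",
+title: `${decisionRecords} AI decision(s) recorded on the tamper-evident hash chain`,
+status: "pass",
+});
+}
+if (checks.length === 0) {
+return notAssessed("No project hash or decision records captured.");
+}
+// Stronger explainability when decisions are actually traced.
+const score = decisionRecords > 0 ? 90 : 75;
+return {
+status: "pass",
+score,
+summary: decisionRecords > 0
+? `Tamper-evident audit trail with ${decisionRecords} hash-chained decision record(s).`
+: "Certification bound to a project content hash; audit trail is tamper-evident.",
+checks,
+};
+}
+function allFindings(cert) {
+const out = [];
+for (const agent of Object.keys(cert.agents)) {
+const data = cert.agents[agent];
+if (data?.findings)
+out.push(...data.findings);
+}
+return out;
+}
+/**
+* Evaluate the requested compliance frameworks against the findings,
+* producing the certificate's compliance dimension. Reuses the existing
+* compliance mapper (so ISO 42001 / NIST AI RMF are real control
+* mappings, not labels).
+*/
+export function buildComplianceDimension(findings, frameworks) {
+const results = frameworks.map((framework) => {
+const mapped = mapFindingsToControls(findings, framework);
+const satisfied = mapped.filter((c) => c.status === "compliant").length;
+const atRisk = mapped.filter((c) => c.status === "at_risk").length;
+const failed = mapped.filter((c) => c.status === "non_compliant").length;
+return {
+framework,
+controlsTotal: mapped.length,
+controlsSatisfied: satisfied,
+controlsAtRisk: atRisk,
+controlsFailed: failed,
+controls: mapped.map((c) => ({
+controlId: c.control.id,
+title: c.control.title,
+status: (c.status === "compliant"
+? "satisfied"
+: c.status === "at_risk"
+? "at_risk"
+: "failed"),
+})),
+};
+});
+const totalControls = results.reduce((n, r) => n + r.controlsTotal, 0);
+const anyFailed = results.some((r) => r.controlsFailed > 0);
+const anyAtRisk = results.some((r) => r.controlsAtRisk > 0);
+const status = anyFailed
+? "fail"
+: anyAtRisk
+? "warn"
+: "pass";
+// Score = % of controls not failed, across all frameworks.
+const failedTotal = results.reduce((n, r) => n + r.controlsFailed, 0);
+const score = totalControls === 0
+? 0
+: Math.round(((totalControls - failedTotal) / totalControls) * 100);
+return {
+status: totalControls === 0 ? "not_assessed" : status,
+score,
+summary: totalControls === 0
+? "No controls evaluated for the requested frameworks."
+: `Mapped findings to ${frameworks.join(", ")}: ${failedTotal} failed / ${totalControls} controls.`,
+frameworks: results,
+};
+}
+/**
+* A baseline certificate body for a subject with no certification run yet
+* — every dimension is `not_assessed` (honest, never fabricated).
+*/
+export function baselineCertificateBody(options) {
+const na = {
+status: "not_assessed",
+score: 0,
+summary: "Not assessed — run a certification first.",
+checks: [],
+};
+return {
+schemaVersion: AGENT_CERTIFICATE_SCHEMA,
+certificateId: options.certificateId,
+subject: {
+kind: options.subjectKind,
+name: options.subjectName,
+identifier: options.identifier,
+},
+issuer: {
+name: "Vaspera",
+tool: "vaspera-hardening-mcp",
+toolVersion: options.toolVersion,
+actor: { type: "system", id: "vaspera-certification" },
+},
+issuedAt: options.issuedAt,
+expiresAt: options.expiresAt,
+level: "REVIEW_REQUIRED",
+overallScore: 0,
+dimensions: {
+security: na,
+scalability: na,
+quality: na,
+explainability: na,
+compliance: { status: "not_assessed", score: 0, summary: na.summary, frameworks: [] },
+aiBom: { status: "not_assessed", score: 0, summary: na.summary, components: [] },
+},
+provenance: { decisionRecords: 0 },
+evidence: [],
+};
+}
+/**
+* Build a certificate body from a completed certification.
+*/
+export function certificationToCertificateBody(cert, options) {
+const meta = cert.metadata;
+const score = meta.final_score ?? 0;
+const level = meta.certification_level ?? "REVIEW_REQUIRED";
+const securityFindings = gatherFindings(cert, [
+"security",
+"redteam",
+"adversary",
+"agent-redteam",
+"agent-privacy",
+]);
+const qualityFindings = gatherFindings(cert, ["quality", "typesafety"]);
+const scalabilityFindings = gatherFindings(cert, ["reliability", "performance"]);
+const agentScore = (agent) => cert.agents[agent]?.summary?.confidence_score ?? score;
+const ranAgents = Object.keys(cert.agents).filter((a) => cert.agents[a]?.status === "completed");
+return {
+schemaVersion: AGENT_CERTIFICATE_SCHEMA,
+certificateId: options.certificateId,
+subject: {
+kind: "codebase",
+name: meta.project_name,
+identifier: meta.project_path,
+digest: meta.project_hash,
+},
+issuer: {
+name: "Vaspera",
+tool: "vaspera-hardening-mcp",
+toolVersion: options.toolVersion,
+actor: { type: "system", id: "vaspera-certification" },
+},
+issuedAt: options.issuedAt,
+expiresAt: options.expiresAt,
+level,
+overallScore: Math.max(0, Math.min(100, score)),
+dimensions: {
+security: dimensionFromFindings(securityFindings, agentScore("security"), "Security"),
+scalability: scalabilityFindings.length
+? dimensionFromFindings(scalabilityFindings, agentScore("reliability"), "Scalability")
+: notAssessed("No reliability/performance agent run in this certification."),
+quality: dimensionFromFindings(qualityFindings, agentScore("quality"), "Quality"),
+explainability: buildExplainabilityDimension(meta.project_hash, options.provenance?.decisionRecords ?? 0),
+compliance: options.complianceFrameworks && options.complianceFrameworks.length > 0
+? buildComplianceDimension(allFindings(cert), options.complianceFrameworks)
+: {
+status: "not_assessed",
+score: 0,
+summary: "No compliance frameworks requested (pass complianceFrameworks, e.g. ISO-42001, NIST-AI-RMF).",
+frameworks: [],
+},
+aiBom: {
+status: ranAgents.length ? "pass" : "not_assessed",
+score: ranAgents.length ? 75 : 0,
+summary: `${ranAgents.length} analysis agent(s) enumerated.`,
+components: ranAgents.map((a) => ({
+name: a,
+kind: "tool",
+role: "certification agent",
+})),
+},
+},
+provenance: options.provenance ?? {
+...(meta.project_hash ? { auditTrailHead: meta.project_hash } : {}),
+decisionRecords: 0,
+},
+evidence: [],
+};
+}
+//# sourceMappingURL=agent-certificate-map.js.map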
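Review bot: In `certificationToCertificateBody`, `security` and `quality` are built with `dimensionFromFindings(...)` unconditionally, so a certification in which none of the listed agents completed yields an empty findings list, status `pass`, and a score that falls back to the overall `final_score` through the `?? score` in `agentScore`. That contradicts the header's promise that unchecked dimensions are reported as `not_assessed`, and someone relying on the certificate cannot tell "scanned, clean" from "never scanned". `scalability` has the opposite slip: it keys on `scalabilityFindings.length`, so a completed reliability run with zero findings is reported as not run. I would gate all three dimensions on whether an agent for the dimension appears in `ranAgents`, as sketched below; the change presumably belongs in the TypeScript source this file is compiled from.

```javascript
// inside certificationToCertificateBody, after ranAgents is computed
const dimensionFor = (agents, scoreAgent, label) => {
    const findings = gatherFindings(cert, agents);
    const ran = agents.some((a) => ranAgents.includes(a));
    // Zero findings count as "pass" only when an agent for this dimension completed.
    if (!ran && findings.length === 0) {
        return notAssessed(`No ${label.toLowerCase()} agent completed in this certification.`);
    }
    return dimensionFromFindings(findings, agentScore(scoreAgent), label);
};
// … unchanged: schemaVersion, certificateId, subject, issuer, dates, level, overallScore …
security: dimensionFor(["security", "redteam", "adversary", "agent-redteam", "agent-privacy"], "security", "Security"),
scalability: dimensionFor(["reliability", "performance"], "reliability", "Scalability"),
quality: dimensionFor(["quality", "typesafety"], "quality", "Quality"),
// … unchanged: explainability, compliance, aiBom, provenance, evidence …
```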
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"agent-certificate-map.js","sourceRoot":"","sources":["../../src/certification/agent-certificate-map.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AASlE,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAKhE,MAAM,aAAa,GAA6B;IAC9C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF,SAAS,sBAAsB,CAAC,QAAkB;IAChD,IAAI,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IAClE,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC;IACzC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,IAAmB,EAAE,MAAmB;IAC9D,MAAM,GAAG,GAAc,EAAE,CAAC;IAC1B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,IAAI,EAAE,QAAQ;YAAE,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,qBAAqB,CAC5B,QAAmB,EACnB,KAAa,EACb,KAAa;IAEb,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IAC1E,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAClE,MAAM,MAAM,GACV,QAAQ,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IAE5E,wEAAwE;IACxE,gCAAgC;IAChC,MAAM,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC;SACzB,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;SACrE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;SACZ,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACX,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,KAAK,EAAE,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;QAClC,MAAM,EAAE,sBAAsB,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC1C,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC5B,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACxE,CAAC,CAAC,CAAC;IAEN,OAAO;QAC
L,MAAM;QACN,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxC,OAAO,EAAE,GAAG,KAAK,KAAK,QAAQ,CAAC,MAAM,gBAAgB,QAAQ,cAAc,IAAI,SAAS;QACxF,MAAM;KACP,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;AAC3E,CAAC;AAED,SAAS,4BAA4B,CACnC,WAA+B,EAC/B,eAAuB;IAEvB,MAAM,MAAM,GAA8B,EAAE,CAAC;IAC7C,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,cAAc;YAClB,KAAK,EAAE,+CAA+C;YACtD,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IACD,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,qBAAqB;YACzB,KAAK,EAAE,GAAG,eAAe,2DAA2D;YACpF,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,WAAW,CAAC,+CAA+C,CAAC,CAAC;IACtE,CAAC;IACD,8DAA8D;IAC9D,MAAM,KAAK,GAAG,eAAe,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5C,OAAO;QACL,MAAM,EAAE,MAAM;QACd,KAAK;QACL,OAAO,EACL,eAAe,GAAG,CAAC;YACjB,CAAC,CAAC,mCAAmC,eAAe,mCAAmC;YACvF,CAAC,CAAC,+EAA+E;QACrF,MAAM;KACP,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,IAAmB;IACtC,MAAM,GAAG,GAAc,EAAE,CAAC;IAC1B,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAgB,EAAE,CAAC;QAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,IAAI,EAAE,QAAQ;YAAE,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CACtC,QAAmB,EACnB,UAAiC;IAEjC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE;QAC3C,MAAM,MAAM,GAAG,qBAAqB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC,CAAC,MAAM,CAAC;QACxE,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;QACnE,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,eAAe,CAAC,CAAC,MAAM,CAAC;QACzE,OAAO;YACL,SAAS;YACT,aAAa,EAAE,MAAM,CAAC,MAAM;YAC5B,iBAAiB,EAAE,SAAS;YAC5B,cAAc,EAAE,MAAM;YACtB,cAAc,EAAE,MAAM
;YACtB,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC3B,SAAS,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE;gBACvB,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK;gBACtB,MAAM,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW;oBAC/B,CAAC,CAAC,WAAW;oBACb,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS;wBACtB,CAAC,CAAC,SAAS;wBACX,CAAC,CAAC,QAAQ,CAA0D;aACzE,CAAC,CAAC;SACJ,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC;IAC5D,MAAM,MAAM,GAA8B,SAAS;QACjD,CAAC,CAAC,MAAM;QACR,CAAC,CAAC,SAAS;YACT,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,MAAM,CAAC;IACb,2DAA2D;IAC3D,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC;IACtE,MAAM,KAAK,GACT,aAAa,KAAK,CAAC;QACjB,CAAC,CAAC,CAAC;QACH,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,aAAa,GAAG,WAAW,CAAC,GAAG,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;IAExE,OAAO;QACL,MAAM,EAAE,aAAa,KAAK,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM;QACrD,KAAK;QACL,OAAO,EACL,aAAa,KAAK,CAAC;YACjB,CAAC,CAAC,qDAAqD;YACvD,CAAC,CAAC,sBAAsB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,WAAW,aAAa,aAAa,YAAY;QACvG,UAAU,EAAE,OAAO;KACpB,CAAC;AACJ,CAAC;AAmBD;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAwB;IAC9D,MAAM,EAAE,GAAoB;QAC1B,MAAM,EAAE,cAAc;QACtB,KAAK,EAAE,CAAC;QACR,OAAO,EAAE,2CAA2C;QACpD,MAAM,EAAE,EAAE;KACX,CAAC;IACF,OAAO;QACL,aAAa,EAAE,wBAAwB;QACvC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,OAAO,EAAE;YACP,IAAI,EAAE,OAAO,CAAC,WAAW;YACzB,IAAI,EAAE,OAAO,CAAC,WAAW;YACzB,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B;QACD,MAAM,EAAE;YACN,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,uBAAuB;YAC7B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,uBAAuB,EAAE;SACvD;QACD,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,KAAK,EAAE,iBAAiB;QACxB,YAAY,EAAE,CAAC;QACf,UAAU,EAAE;YACV,QAAQ,EAAE,EAAE;YACZ,WAAW,EAAE,EA
AE;YACf,OAAO,EAAE,EAAE;YACX,cAAc,EAAE,EAAE;YAClB,UAAU,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE;YACrF,KAAK,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE;SACjF;QACD,UAAU,EAAE,EAAE,eAAe,EAAE,CAAC,EAAE;QAClC,QAAQ,EAAE,EAAE;KACb,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAC5C,IAAmB,EACnB,OAAmB;IAEnB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC;IAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,IAAI,CAAC,CAAC;IACpC,MAAM,KAAK,GAAuB,IAAI,CAAC,mBAAmB,IAAI,iBAAiB,CAAC;IAEhF,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,EAAE;QAC5C,UAAU;QACV,SAAS;QACT,WAAW;QACX,eAAe;QACf,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC,CAAC;IACxE,MAAM,mBAAmB,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC;IAEjF,MAAM,UAAU,GAAG,CAAC,KAAgB,EAAU,EAAE,CAC9C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,gBAAgB,IAAI,KAAK,CAAC;IAEzD,MAAM,SAAS,GAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAiB,CAAC,MAAM,CAChE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,KAAK,WAAW,CAC9C,CAAC;IAEF,OAAO;QACL,aAAa,EAAE,wBAAwB;QACvC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,OAAO,EAAE;YACP,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,IAAI,CAAC,YAAY;YACvB,UAAU,EAAE,IAAI,CAAC,YAAY;YAC7B,MAAM,EAAE,IAAI,CAAC,YAAY;SAC1B;QACD,MAAM,EAAE;YACN,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,uBAAuB;YAC7B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,uBAAuB,EAAE;SACvD;QACD,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,KAAK;QACL,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC/C,UAAU,EAAE;YACV,QAAQ,EAAE,qBAAqB,CAC7B,gBAAgB,EAChB,UAAU,CAAC,UAAU,CAAC,EACtB,UAAU,CACX;YACD,WAAW,EAAE,mBAAmB,CAAC,MAAM;gBACrC,CAAC,CAAC,qBAAqB,CAAC,mBAAmB,EAAE,UAAU,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;gBACtF,CAAC,CAAC,WAAW,CAAC,6DAA6D,CAAC;YAC9E,OAAO,EAAE,qBAAqB,CAAC,eAAe,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;YACjF,cAAc,EAAE,4BAA4B,CAC1C,IAAI,CAAC,YAAY,EACjB,OAAO,CAAC,UAAU,EAAE,e
AAe,IAAI,CAAC,CACzC;YACD,UAAU,EACR,OAAO,CAAC,oBAAoB,IAAI,OAAO,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;gBACrE,CAAC,CAAC,wBAAwB,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC;gBAC3E,CAAC,CAAC;oBACE,MAAM,EAAE,cAAc;oBACtB,KAAK,EAAE,CAAC;oBACR,OAAO,EACL,8FAA8F;oBAChG,UAAU,EAAE,EAAE;iBACf;YACP,KAAK,EAAE;gBACL,MAAM,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc;gBAClD,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;gBAChC,OAAO,EAAE,GAAG,SAAS,CAAC,MAAM,gCAAgC;gBAC5D,UAAU,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAChC,IAAI,EAAE,CAAC;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE,qBAAqB;iBAC5B,CAAC,CAAC;aACJ;SACF;QACD,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI;YAChC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACnE,eAAe,EAAE,CAAC;SACnB;QACD,QAAQ,EAAE,EAAE;KACb,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Sample agent certificate builder.
|
|
3
|
+
*
|
|
4
|
+
* Produces a realistic certificate body for the Vaspera Hardening MCP
|
|
5
|
+
* server itself — the dogfood. It reflects the actual hardened state of
|
|
6
|
+
* this codebase, so the sample doubles as proof the platform certifies
|
|
7
|
+
* its own primary use case.
|
|
8
|
+
*
|
|
9
|
+
* @module certification/agent-certificate-sample
|
|
10
|
+
*/
|
|
11
|
+
import type { AgentCertificateBody } from "./agent-certificate.js";
|
|
12
|
+
export interface SampleOptions {
|
|
13
|
+
toolVersion: string;
|
|
14
|
+
/** ISO timestamp for issuedAt (kept injectable for deterministic tests). */
|
|
15
|
+
issuedAt: string;
|
|
16
|
+
/** ISO timestamp for expiresAt. */
|
|
17
|
+
expiresAt: string;
|
|
18
|
+
certificateId: string;
|
|
19
|
+
}
|
|
20
|
+
/**
|
|
21
|
+
* Build a sample certificate body certifying the vaspera-hardening MCP
|
|
22
|
+
* server. Values mirror the real hardening work landed this cycle.
|
|
23
|
+
*/
|
|
24
|
+
export declare function buildSampleCertificateBody(options: SampleOptions): AgentCertificateBody;
|
|
25
|
+
//# sourceMappingURL=agent-certificate-sample.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"agent-certificate-sample.d.ts","sourceRoot":"","sources":["../../src/certification/agent-certificate-sample.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAEnE,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,4EAA4E;IAC5E,QAAQ,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,aAAa,GAAG,oBAAoB,CAsMvF"}
|
|
@@ -0,0 +1,207 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Sample agent certificate builder.
|
|
3
|
+
*
|
|
4
|
+
* Produces a realistic certificate body for the Vaspera Hardening MCP
|
|
5
|
+
* server itself — the dogfood. It reflects the actual hardened state of
|
|
6
|
+
* this codebase, so the sample doubles as proof the platform certifies
|
|
7
|
+
* its own primary use case.
|
|
8
|
+
*
|
|
9
|
+
* @module certification/agent-certificate-sample
|
|
10
|
+
*/
|
|
11
|
+
import { AGENT_CERTIFICATE_SCHEMA } from "./agent-certificate.js";
|
|
12
|
+
/**
|
|
13
|
+
* Build a sample certificate body certifying the vaspera-hardening MCP
|
|
14
|
+
* server. Values mirror the real hardening work landed this cycle.
|
|
15
|
+
*/
|
|
16
|
+
export function buildSampleCertificateBody(options) {
|
|
17
|
+
const { toolVersion, issuedAt, expiresAt, certificateId } = options;
|
|
18
|
+
return {
|
|
19
|
+
schemaVersion: AGENT_CERTIFICATE_SCHEMA,
|
|
20
|
+
certificateId,
|
|
21
|
+
subject: {
|
|
22
|
+
kind: "mcp-server",
|
|
23
|
+
name: "vaspera-hardening-mcp-server",
|
|
24
|
+
version: toolVersion,
|
|
25
|
+
identifier: "https://github.com/RCOLKITT/hardening-mcp",
|
|
26
|
+
description: "MCP server that certifies AI-generated code and AI agents for production readiness.",
|
|
27
|
+
},
|
|
28
|
+
issuer: {
|
|
29
|
+
name: "Vaspera",
|
|
30
|
+
tool: "vaspera-hardening-mcp",
|
|
31
|
+
toolVersion,
|
|
32
|
+
actor: { type: "system", id: "vaspera-self-certification" },
|
|
33
|
+
},
|
|
34
|
+
issuedAt,
|
|
35
|
+
expiresAt,
|
|
36
|
+
level: "CERTIFIED",
|
|
37
|
+
overallScore: 94,
|
|
38
|
+
dimensions: {
|
|
39
|
+
security: {
|
|
40
|
+
status: "pass",
|
|
41
|
+
score: 96,
|
|
42
|
+
summary: "Bearer-auth enforced on the HTTP surface, command injection eliminated across scanner adapters, untrusted paths contained, secrets redacted in logs.",
|
|
43
|
+
checks: [
|
|
44
|
+
{
|
|
45
|
+
id: "http-auth-required",
|
|
46
|
+
title: "HTTP MCP endpoint requires a bearer token (fails closed)",
|
|
47
|
+
status: "pass",
|
|
48
|
+
severity: "critical",
|
|
49
|
+
category: "auth-bypass",
|
|
50
|
+
},
|
|
51
|
+
{
|
|
52
|
+
id: "no-shell-exec",
|
|
53
|
+
title: "Scanner adapters use execFile (no string-concat shell)",
|
|
54
|
+
status: "pass",
|
|
55
|
+
severity: "critical",
|
|
56
|
+
category: "command-injection",
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
id: "path-containment",
|
|
60
|
+
title: "project_path and secondary file args are containment-checked",
|
|
61
|
+
status: "pass",
|
|
62
|
+
severity: "high",
|
|
63
|
+
category: "path-traversal",
|
|
64
|
+
},
|
|
65
|
+
{
|
|
66
|
+
id: "http-tool-policy",
|
|
67
|
+
title: "Only read-only tools are exposed over HTTP by default",
|
|
68
|
+
status: "pass",
|
|
69
|
+
severity: "high",
|
|
70
|
+
category: "excessive-agency",
|
|
71
|
+
},
|
|
72
|
+
{
|
|
73
|
+
id: "log-redaction",
|
|
74
|
+
title: "Secrets (incl. embedded tokens) redacted from logs",
|
|
75
|
+
status: "pass",
|
|
76
|
+
severity: "medium",
|
|
77
|
+
category: "sensitive-disclosure",
|
|
78
|
+
},
|
|
79
|
+
],
|
|
80
|
+
},
|
|
81
|
+
scalability: {
|
|
82
|
+
status: "pass",
|
|
83
|
+
score: 88,
|
|
84
|
+
summary: "Stateless per-request transport with a serialization mutex and a hard request timeout; no unbounded request bodies.",
|
|
85
|
+
checks: [
|
|
86
|
+
{
|
|
87
|
+
id: "request-timeout",
|
|
88
|
+
title: "Per-request timeout prevents a hung handler from wedging the endpoint",
|
|
89
|
+
status: "pass",
|
|
90
|
+
severity: "high",
|
|
91
|
+
category: "resource-exhaustion",
|
|
92
|
+
},
|
|
93
|
+
{
|
|
94
|
+
id: "body-size-cap",
|
|
95
|
+
title: "Request bodies capped at 10MB",
|
|
96
|
+
status: "pass",
|
|
97
|
+
severity: "medium",
|
|
98
|
+
},
|
|
99
|
+
{
|
|
100
|
+
id: "load-profile",
|
|
101
|
+
title: "Sustained-load profile not yet benchmarked",
|
|
102
|
+
status: "warn",
|
|
103
|
+
severity: "low",
|
|
104
|
+
detail: "Scalability benchmark is a planned addition.",
|
|
105
|
+
},
|
|
106
|
+
],
|
|
107
|
+
},
|
|
108
|
+
quality: {
|
|
109
|
+
status: "pass",
|
|
110
|
+
score: 93,
|
|
111
|
+
summary: "TypeScript strict mode, 1800+ passing tests, and a constitution-as-code ratchet that blocks new shell-exec / raw JSON.parse / bare throws.",
|
|
112
|
+
checks: [
|
|
113
|
+
{
|
|
114
|
+
id: "tests-green",
|
|
115
|
+
title: "Full test suite passes (97 files / 1839 tests)",
|
|
116
|
+
status: "pass",
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
id: "constitution-ratchet",
|
|
120
|
+
title: "Constitution baseline ratchet enforced in CI",
|
|
121
|
+
status: "pass",
|
|
122
|
+
},
|
|
123
|
+
{
|
|
124
|
+
id: "self-certify-gate",
|
|
125
|
+
title: "Self-certification is a blocking CI gate",
|
|
126
|
+
status: "pass",
|
|
127
|
+
},
|
|
128
|
+
{
|
|
129
|
+
id: "debt-baseline",
|
|
130
|
+
title: "Legacy JSON.parse/throw debt grandfathered (burning down)",
|
|
131
|
+
status: "warn",
|
|
132
|
+
severity: "low",
|
|
133
|
+
},
|
|
134
|
+
],
|
|
135
|
+
},
|
|
136
|
+
explainability: {
|
|
137
|
+
status: "pass",
|
|
138
|
+
score: 90,
|
|
139
|
+
summary: "Tamper-evident hash-chained audit trail records certification decisions; findings carry evidence and reproducible scoring.",
|
|
140
|
+
checks: [
|
|
141
|
+
{
|
|
142
|
+
id: "audit-hash-chain",
|
|
143
|
+
title: "Decision/audit entries are hash-chained (tamper-evident)",
|
|
144
|
+
status: "pass",
|
|
145
|
+
severity: "high",
|
|
146
|
+
},
|
|
147
|
+
{
|
|
148
|
+
id: "signed-evidence",
|
|
149
|
+
title: "Evidence bundles are digest-addressed and Sigstore-signable",
|
|
150
|
+
status: "pass",
|
|
151
|
+
},
|
|
152
|
+
{
|
|
153
|
+
id: "decision-provenance",
|
|
154
|
+
title: "Per-decision runtime provenance capture (planned extension)",
|
|
155
|
+
status: "warn",
|
|
156
|
+
severity: "low",
|
|
157
|
+
},
|
|
158
|
+
],
|
|
159
|
+
},
|
|
160
|
+
compliance: {
|
|
161
|
+
status: "pass",
|
|
162
|
+
score: 91,
|
|
163
|
+
summary: "Mapped to OWASP LLM Top 10 today; ISO 42001 / NIST AI RMF mappings staged as the next certification-layer addition.",
|
|
164
|
+
frameworks: [
|
|
165
|
+
{
|
|
166
|
+
framework: "OWASP-LLM",
|
|
167
|
+
controlsTotal: 10,
|
|
168
|
+
controlsSatisfied: 9,
|
|
169
|
+
controlsAtRisk: 1,
|
|
170
|
+
controlsFailed: 0,
|
|
171
|
+
},
|
|
172
|
+
{
|
|
173
|
+
framework: "NIST-AI-RMF",
|
|
174
|
+
controlsTotal: 4,
|
|
175
|
+
controlsSatisfied: 3,
|
|
176
|
+
controlsAtRisk: 1,
|
|
177
|
+
controlsFailed: 0,
|
|
178
|
+
controls: [
|
|
179
|
+
{ controlId: "GOVERN", title: "Governance & policy", status: "satisfied" },
|
|
180
|
+
{ controlId: "MAP", title: "Context mapping", status: "satisfied" },
|
|
181
|
+
{ controlId: "MEASURE", title: "Measurement & metrics", status: "at_risk" },
|
|
182
|
+
{ controlId: "MANAGE", title: "Risk management", status: "satisfied" },
|
|
183
|
+
],
|
|
184
|
+
},
|
|
185
|
+
],
|
|
186
|
+
},
|
|
187
|
+
aiBom: {
|
|
188
|
+
status: "pass",
|
|
189
|
+
score: 92,
|
|
190
|
+
summary: "Deterministic scanners + multi-model consensus + agent-security scanners; 110 MCP tools enumerated.",
|
|
191
|
+
components: [
|
|
192
|
+
{ name: "semgrep", kind: "tool", role: "SAST scanner" },
|
|
193
|
+
{ name: "trivy", kind: "tool", role: "SCA / IaC scanner" },
|
|
194
|
+
{ name: "gitleaks", kind: "tool", role: "secret scanner" },
|
|
195
|
+
{ name: "prompt-injection-fuzzer", kind: "tool", role: "agent-security scanner" },
|
|
196
|
+
{ name: "exfil-path-graph", kind: "tool", role: "agent-security scanner" },
|
|
197
|
+
{ name: "multi-model-consensus", kind: "model", role: "LLM analysis consensus" },
|
|
198
|
+
],
|
|
199
|
+
},
|
|
200
|
+
},
|
|
201
|
+
provenance: {
|
|
202
|
+
decisionRecords: 0,
|
|
203
|
+
},
|
|
204
|
+
evidence: [],
|
|
205
|
+
};
|
|
206
|
+
}
|
|
207
|
+
//# sourceMappingURL=agent-certificate-sample.js.map
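Review bot: `buildSampleCertificateBody` returns `level: "CERTIFIED"` and `overallScore: 94` as literals under the production `AGENT_CERTIFICATE_SCHEMA`, so only `issuer.actor.id: "vaspera-self-certification"` separates this sample from a measured certificate, and a consumer that keys on `level` or on a valid signature would presumably accept it as a real attestation. The header comment says the body "reflects the actual hardened state of this codebase", but every status, score and count (for example `"Full test suite passes (97 files / 1839 tests)"`) is hard-coded and will drift, while `evidence: []` and `decisionRecords: 0` leave nothing to check the claims against. I would reword the doc comment to `Values are illustrative literals, not derived from a scan; do not sign or publish as an attestation.` and, if the schema permits, carry an explicit sample marker in the body that the signing and verify paths refuse or label. The compliance `summary` also describes the NIST AI RMF mapping as "staged" while `frameworks` already reports `NIST-AI-RMF` with `controlsSatisfied: 3`, so one of the two should be corrected.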
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"agent-certificate-sample.js","sourceRoot":"","sources":["../../src/certification/agent-certificate-sample.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AAYlE;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAsB;IAC/D,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;IAEpE,OAAO;QACL,aAAa,EAAE,wBAAwB;QACvC,aAAa;QACb,OAAO,EAAE;YACP,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,8BAA8B;YACpC,OAAO,EAAE,WAAW;YACpB,UAAU,EAAE,2CAA2C;YACvD,WAAW,EACT,qFAAqF;SACxF;QACD,MAAM,EAAE;YACN,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,uBAAuB;YAC7B,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,4BAA4B,EAAE;SAC5D;QACD,QAAQ;QACR,SAAS;QACT,KAAK,EAAE,WAAW;QAClB,YAAY,EAAE,EAAE;QAChB,UAAU,EAAE;YACV,QAAQ,EAAE;gBACR,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,sJAAsJ;gBACxJ,MAAM,EAAE;oBACN;wBACE,EAAE,EAAE,oBAAoB;wBACxB,KAAK,EAAE,0DAA0D;wBACjE,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,UAAU;wBACpB,QAAQ,EAAE,aAAa;qBACxB;oBACD;wBACE,EAAE,EAAE,eAAe;wBACnB,KAAK,EAAE,wDAAwD;wBAC/D,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,UAAU;wBACpB,QAAQ,EAAE,mBAAmB;qBAC9B;oBACD;wBACE,EAAE,EAAE,kBAAkB;wBACtB,KAAK,EAAE,8DAA8D;wBACrE,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,gBAAgB;qBAC3B;oBACD;wBACE,EAAE,EAAE,kBAAkB;wBACtB,KAAK,EAAE,uDAAuD;wBAC9D,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,kBAAkB;qBAC7B;oBACD;wBACE,EAAE,EAAE,eAAe;wBACnB,KAAK,EAAE,oDAAoD;wBAC3D,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,QAAQ;wBAClB,QAAQ,EAAE,sBAAsB;qBACjC;iBACF;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,qHAAqH;gBACvH,MAAM,EAAE;oBACN;wBACE,EAAE,EAAE,iBAAiB;wBACrB,KAAK,EAAE,uEAAuE;wBAC9E,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,qBAAqB;qBAChC;oBACD;wBACE,EAAE,EAAE,eAAe;wBACnB,KAAK,EAAE,+BAA+B;wBACtC,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,QAAQ;qBACnB;oBACD;wBACE,EAAE,EAAE,cAAc;wBAClB,KAAK,EAAE,4CAA4C;wBACnD,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,KAAK;wBACf,MAAM,EAAE,8CAA8C;qBACvD;iBACF;aACF;YACD,OAAO,EAAE;gBACP,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,4IAA4I;g
BAC9I,MAAM,EAAE;oBACN;wBACE,EAAE,EAAE,aAAa;wBACjB,KAAK,EAAE,gDAAgD;wBACvD,MAAM,EAAE,MAAM;qBACf;oBACD;wBACE,EAAE,EAAE,sBAAsB;wBAC1B,KAAK,EAAE,8CAA8C;wBACrD,MAAM,EAAE,MAAM;qBACf;oBACD;wBACE,EAAE,EAAE,mBAAmB;wBACvB,KAAK,EAAE,0CAA0C;wBACjD,MAAM,EAAE,MAAM;qBACf;oBACD;wBACE,EAAE,EAAE,eAAe;wBACnB,KAAK,EAAE,2DAA2D;wBAClE,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,KAAK;qBAChB;iBACF;aACF;YACD,cAAc,EAAE;gBACd,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,4HAA4H;gBAC9H,MAAM,EAAE;oBACN;wBACE,EAAE,EAAE,kBAAkB;wBACtB,KAAK,EAAE,0DAA0D;wBACjE,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,MAAM;qBACjB;oBACD;wBACE,EAAE,EAAE,iBAAiB;wBACrB,KAAK,EAAE,6DAA6D;wBACpE,MAAM,EAAE,MAAM;qBACf;oBACD;wBACE,EAAE,EAAE,qBAAqB;wBACzB,KAAK,EAAE,6DAA6D;wBACpE,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,KAAK;qBAChB;iBACF;aACF;YACD,UAAU,EAAE;gBACV,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,qHAAqH;gBACvH,UAAU,EAAE;oBACV;wBACE,SAAS,EAAE,WAAW;wBACtB,aAAa,EAAE,EAAE;wBACjB,iBAAiB,EAAE,CAAC;wBACpB,cAAc,EAAE,CAAC;wBACjB,cAAc,EAAE,CAAC;qBAClB;oBACD;wBACE,SAAS,EAAE,aAAa;wBACxB,aAAa,EAAE,CAAC;wBAChB,iBAAiB,EAAE,CAAC;wBACpB,cAAc,EAAE,CAAC;wBACjB,cAAc,EAAE,CAAC;wBACjB,QAAQ,EAAE;4BACR,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,qBAAqB,EAAE,MAAM,EAAE,WAAW,EAAE;4BAC1E,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,WAAW,EAAE;4BACnE,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,uBAAuB,EAAE,MAAM,EAAE,SAAS,EAAE;4BAC3E,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,WAAW,EAAE;yBACvE;qBACF;iBACF;aACF;YACD,KAAK,EAAE;gBACL,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,qGAAqG;gBACvG,UAAU,EAAE;oBACV,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE;oBACvD,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,EAAE;oBAC1D,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE;oBAC1D,EAAE,IAAI,EAAE,yBAAyB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,wBAAwB,EAAE;oBACjF,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,wBAAwB,EAAE;oBAC1E,EAAE,IAAI,EAAE,uBAAuB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,wBAAwB,EAAE;iBACjF;aACF;SACF;Q
ACD,UAAU,EAAE;YACV,eAAe,EAAE,CAAC;SACnB;QACD,QAAQ,EAAE,EAAE;KACb,CAAC;AACJ,CAAC"}
|